In this video, ProofID consultant Ben Andrews demonstrates how quickly single sign-on (SSO) to Salesforce can be implemented using PingFederate. SSO provides a distinct advantage as users can access multiple resources using a single username and password.
The demo shows a federated trust established between the PingFederate identity provider (IdP) and Salesforce, the service provider (SP). Metadata is exchanged between the two parties, creating the trust: each side learns the other's entity ID, endpoints and signing certificate. Federated SSO can then occur, as Salesforce delegates authentication to PingFederate. SSO is accomplished using SAML (Security Assertion Markup Language), an XML-based standard for passing signed authentication statements and user attributes between PingFederate and Salesforce.
To break down the steps involved during SSO:
- The user browses to Salesforce
- Salesforce uses the custom domain (My Domain) that was accessed to identify the organization, and therefore the IdP, the user originates from
- Salesforce redirects the user to PingFederate, sending a SAML authentication request (AuthnRequest)
- The user authenticates, and PingFederate validates the credentials against its user store
- If authentication is successful, the user is redirected back to Salesforce carrying a signed SAML response that contains the assertion
- Salesforce verifies the signature and the assertion's conditions, then logs the user in using the subject and attributes provided in the SAML assertion from PingFederate
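The SP-initiated exchange above, as an added worked example that is not from the video and not code from Ping Identity or Salesforce: a small Python script that builds the AuthnRequest Salesforce redirects with (step 3), constructs a stand-in for the PingFederate response (step 5) and applies the checks the SP must make before it logs the user in from the assertion (step 6). Every entity ID, URL, user name and attribute here is a hypothetical value; the constructed response is unsigned so the script runs offline, and `consume_response` assumes the XML signature has already been verified by a SAML library (python3-saml or pysaml2, for example) against the certificate from the IdP's metadata.

```python
import base64
import datetime as dt
import uuid
import zlib
import xml.etree.ElementTree as ET  # parse untrusted XML with defusedxml in production
from urllib.parse import urlencode

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

# Hypothetical identifiers (assumptions, not values from the video). In a real setup each
# party takes the other's values from the metadata exchanged when the trust was created.
SP_ENTITY_ID = "https://acme.my.salesforce.com"
SP_ACS_URL = "https://acme.my.salesforce.com?so=00D000000000001"
IDP_ENTITY_ID = "https://sso.acme.example"
IDP_SSO_URL = "https://sso.acme.example/idp/SSO.saml2"

def ts(t):
    return t.strftime("%Y-%m-%dT%H:%M:%SZ")

def parse_ts(s):
    return dt.datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=dt.timezone.utc)

def build_authn_request(now):
    """Step 3: the SP builds an AuthnRequest and redirects the browser to the IdP using the
    HTTP-Redirect binding (raw DEFLATE, base64, URL-encoded SAMLRequest parameter).
    The SP must remember the request ID for the InResponseTo check later."""
    request_id = "_" + uuid.uuid4().hex
    xml = (f'<samlp:AuthnRequest xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}" '
           f'ID="{request_id}" Version="2.0" IssueInstant="{ts(now)}" Destination="{IDP_SSO_URL}" '
           f'AssertionConsumerServiceURL="{SP_ACS_URL}" '
           'ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST">'
           f'<saml:Issuer>{SP_ENTITY_ID}</saml:Issuer></samlp:AuthnRequest>')
    deflater = zlib.compressobj(9, zlib.DEFLATED, -15)  # wbits=-15: raw DEFLATE, no zlib framing
    deflated = deflater.compress(xml.encode()) + deflater.flush()
    query = urlencode({"SAMLRequest": base64.b64encode(deflated).decode()})
    return request_id, f"{IDP_SSO_URL}?{query}"

def build_response(request_id, now, audience=SP_ENTITY_ID, lifetime=300,
                   name_id="ben.andrews@acme.example"):
    """Constructed stand-in for the IdP's step-5 output after a successful login. It is unsigned
    so the example runs offline; a real PingFederate response carries an XML signature."""
    xml = (f'<samlp:Response xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}" '
           f'ID="_{uuid.uuid4().hex}" Version="2.0" IssueInstant="{ts(now)}" '
           f'Destination="{SP_ACS_URL}" InResponseTo="{request_id}">'
           f'<saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer>'
           f'<samlp:Status><samlp:StatusCode Value="{SUCCESS}"/></samlp:Status>'
           f'<saml:Assertion ID="_{uuid.uuid4().hex}" Version="2.0" IssueInstant="{ts(now)}">'
           f'<saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer>'
           f'<saml:Subject><saml:NameID>{name_id}</saml:NameID></saml:Subject>'
           f'<saml:Conditions NotBefore="{ts(now)}" NotOnOrAfter="{ts(now + dt.timedelta(seconds=lifetime))}">'
           f'<saml:AudienceRestriction><saml:Audience>{audience}</saml:Audience></saml:AudienceRestriction>'
           '</saml:Conditions><saml:AttributeStatement><saml:Attribute Name="Role">'
           '<saml:AttributeValue>Sales</saml:AttributeValue></saml:Attribute>'
           '</saml:AttributeStatement></saml:Assertion></samlp:Response>')
    return base64.b64encode(xml.encode()).decode()  # HTTP-POST binding: base64 SAMLResponse form field

class AssertionRejected(Exception):
    pass

def consume_response(saml_response_b64, expected_request_id, now):
    """Step 6: the SP decides whether the posted SAMLResponse may log the user in.
    Assumption: the XML signature was already verified against the IdP certificate from its
    metadata (use a SAML library for that); without it none of the checks below matter."""
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    if root.get("Destination") != SP_ACS_URL:
        raise AssertionRejected("response addressed to a different ACS URL")
    if root.get("InResponseTo") != expected_request_id:
        raise AssertionRejected("not a reply to a request this SP issued (replay or unsolicited)")
    status = root.find("samlp:Status/samlp:StatusCode", NS)
    if status is None or status.get("Value") != SUCCESS:
        raise AssertionRejected("IdP reported that authentication failed")
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        raise AssertionRejected("no plaintext assertion (encrypted assertions not handled here)")
    issuer = assertion.find("saml:Issuer", NS)
    if issuer is None or issuer.text != IDP_ENTITY_ID:
        raise AssertionRejected("assertion not issued by the trusted IdP")
    cond = assertion.find("saml:Conditions", NS)
    if cond is None or not (parse_ts(cond.get("NotBefore")) <= now < parse_ts(cond.get("NotOnOrAfter"))):
        raise AssertionRejected("assertion outside its validity window")
    if SP_ENTITY_ID not in [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]:
        raise AssertionRejected("assertion was issued for a different service provider")
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    if name_id is None or not name_id.text:
        raise AssertionRejected("assertion carries no subject to log in")
    attributes = {a.get("Name"): [v.text for v in a.findall("saml:AttributeValue", NS)]
                  for a in assertion.findall("saml:AttributeStatement/saml:Attribute", NS)}
    return {"name_id": name_id.text, "attributes": attributes}

if __name__ == "__main__":
    now = dt.datetime.now(dt.timezone.utc)
    rid, redirect_url = build_authn_request(now)                 # step 3
    print("redirect browser to:", redirect_url[:70] + "...")
    print("logged in as:", consume_response(build_response(rid, now), rid, now))  # steps 5-6
```

Each rejection in `consume_response` closes a specific hole: the `Destination` and `Audience` checks stop an assertion minted for one SP from being replayed against another, `InResponseTo` ties the response to a request this SP actually started, and the `NotBefore`/`NotOnOrAfter` window limits how long a captured response stays usable. These are the same checks Salesforce applies to a PingFederate response, which is why mismatched entity IDs or clock skew between the two servers are the usual causes of a failed SSO login.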
In addition to the user only requiring a single set of credentials, SSO provides several other advantages:
- Centralized deprovisioning: because the IdP is responsible for authentication, disabling a user's account in the IdP's user store stops them signing in to the application when they leave the organization, without any change in the application itself. Note that this does not end sessions already established in the application, which persist until they time out, and any local application password that remains enabled should be disabled so it cannot bypass the IdP.
- Fewer password resets: with fewer passwords in use, the IT helpdesk can expect a lower number of password reset requests.
- Password policy of the IdP applies: administrators can set one password policy for all applications that adheres to the requirements of the organization.
- Improved user experience: users are more productive as they spend less time attempting to remember or locate multiple sets of credentials.